Data compromises - what you need to do

Get on top of the problem

If you do suffer the unfortunate effects of a compromise, it's important to have a response plan specific to your business. If you suspect or experience a compromise, contact us immediately on 0800 161 5350 and take the following steps:

  1. Ensure that no one can access or alter the compromised systems
  2. Isolate the compromised systems from your network and unplug any network cables without turning the systems off
  3. Preserve all logs and similar electronic evidence
  4. Perform a back-up of your systems to preserve their current state, which will facilitate any subsequent investigations
  5. Log all actions you take
  6. Seek advice before you process any further transactions
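Steps 3 and 5 above (preserve the logs, log every action you take) are easier to demonstrate to an investigator if the copy, its integrity hash and the time of collection are recorded together at the moment of collection. The following Python is an added example, not the acquirer's own tooling or any script from the page; it assumes the logs to preserve are plain files the responder can read, uses SHA-256 for the manifest, and builds constructed sample log files in a temporary directory so it runs offline.

```python
"""Evidence preservation helper: copy logs, hash them, keep an action log.

Added example; assumes log files are readable plain files and that SHA-256
is an acceptable integrity hash for the evidence manifest.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def log_action(evidence_dir, operator, action):
    """Append one timestamped JSON line to the responder action log (step 5)."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "action": action,
    }
    with open(os.path.join(evidence_dir, "actions.log"), "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def preserve_logs(log_paths, evidence_dir, operator):
    """Copy each log into evidence_dir and write a hashed manifest (step 3).

    The source file is only ever read; the copy is re-hashed so a bad copy
    is caught immediately rather than during the investigation.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = []
    for src in log_paths:
        src_hash = sha256_of(src)
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        if sha256_of(dst) != src_hash:
            raise RuntimeError(f"copy of {src} does not match source hash")
        manifest.append({"source": src, "copy": dst, "sha256": src_hash,
                         "bytes": os.path.getsize(src)})
        log_action(evidence_dir, operator, f"preserved {src} sha256={src_hash}")
    manifest_path = os.path.join(evidence_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    # Record the manifest's own hash so later edits to the index are detectable
    log_action(evidence_dir, operator, f"wrote manifest sha256={sha256_of(manifest_path)}")
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash every preserved copy; return the paths whose hash no longer matches."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [m["copy"] for m in manifest if sha256_of(m["copy"]) != m["sha256"]]


def demo():
    """Constructed sample: two fake logs preserved, verified, then one tampered with."""
    work = tempfile.mkdtemp()
    logs = []
    samples = {  # constructed sample log content, not real data
        "access.log": "10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] \"GET /checkout HTTP/1.1\" 200\n",
        "auth.log": "Jan  1 10:00:01 pos01 sshd[412]: Accepted publickey for svc from 10.0.0.9\n",
    }
    for name, text in samples.items():
        p = os.path.join(work, name)
        with open(p, "w") as f:
            f.write(text)
        logs.append(p)
    evidence = os.path.join(work, "evidence")
    manifest = preserve_logs(logs, evidence, operator="responder-1")
    clean_before = verify_manifest(evidence) == []
    # Simulate a preserved copy being altered after collection and confirm detection
    with open(manifest[0]["copy"], "a") as f:
        f.write("altered after collection\n")
    with open(os.path.join(evidence, "actions.log")) as f:
        action_count = sum(1 for _ in f)
    return {"files": len(manifest), "clean_before": clean_before,
            "changed_after": verify_manifest(evidence), "actions": action_count}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The action log is append-only JSON lines, so each entry carries the UTC time and the operator; the manifest hash recorded in the last entry lets an investigator confirm the index was not rewritten after collection.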

If you experience a data breach, we'll work with you to understand your flow of transactions, how and where your data is stored, and identify any weak points in your transaction processes.

Based on the level of compromise, we’ll work with you to decide how the investigation should proceed and whether it requires the involvement of a PCI Forensic Investigator (PFI) to examine your network hardware and software. This can take a number of months and could involve a substantial cost to your business.

You’ll also need to report the theft to the police and obtain a crime reference. We’ll keep an open dialogue with the Card Schemes throughout the process and keep them up to date with how the investigation is going.

Penalties and fines

Once the Card Schemes have reviewed the forensic findings, they will decide if fines are required. These will be passed on to you as per your Merchant Agreement. It’s also important to make sure that the agreements you have with your Service Providers include the provision for compensation should they be identified as the point of compromise.

You may also be faced with penalties even when no breach has occurred. Non-compliance fines can be levied for the failure to undertake due diligence to ensure your Third Parties/Service Providers/Merchant Agents are and remain compliant with the PCI DSS.

What you need to do next

Businesses that are compromised have their PCI status set to Level 1 for 12 months from the date they become PCI DSS compliant. This means having to pay for the services of a Qualified Security Assessor (QSA) to complete the final Self Assessment Questionnaire (SAQ) or full Report on Compliance.

If a business is found to be storing any sensitive authentication data post-authorisation, it must remove that data within 30 days of the date the investigation begins; otherwise it will remain non-compliant. It must then change its processes and systems to eliminate any post-authorisation storage in the future.

If you find yourself in this situation, you then have up to a further 60 days to demonstrate that:
  • your network perimeter is secured
  • your payment application/process is secured
  • monitoring and access control are in place